
Definitions


Presentation Transcript


  1. Definitions
     _____ -- a particular collection of value assignments (i.e., to computer registers, memory, secondary stores, relevant network devices, etc.)
     ______________ -- a state that deals only with assignments relevant to security/protection
     ____ -- the set of all possible protection states (i.e., a universal set)
     ____ -- the set of all authorized protection states
     _________ -- state s is safe iff s ______
     -- security has been breached whenever a system enters state s for which s _____________
     -- a security policy should define what constitutes Pauth
     __________________ -- a security mechanism should ensure that a system never reaches a state in

  2. Policies
     Confidentiality Policy: a is confidential to s iff other subjects ____________________ a.
     Integrity Policy: a has integrity to s iff s _________ a.
     Availability Policy: a is available to s iff s is __________________ a.
     Expressing Policy: If a policy is Pauth, then why is it impractical to enumerate Pauth? A better solution: define the policy in terms of who has access to what, i.e., Subject (s) and Asset (a).

  3. Policy Models
     policy model -- a set of policies (abstractly, a set of policy properties)
     Consider a policy for maintaining the confidentiality of government documents.
       -- assets
       -- subjects

  4. Multi-level Confidentiality Model
     Simple Security Property: Subject s can read asset a iff clearance(s) ≥ classification(a)
     This property has been widely used for years. However, the Simple Security Property only applies to reads. What about writes?

  5. Bell-LaPadula Model (a multi-level confidentiality model, circa 1986)
     Simple Security Property: Subject s can read asset a iff clearance(s) ≥ classification(a)
     *-Property: Subject s can write to asset a iff clearance(s) classification(a)
     Another Issue: Why does the Simple Security Property not enforce a Need-to-know policy?

  6. Codewords
     It is common to include codewords in addition to classification and clearance (e.g., DesertStorm, Umbra). In this system a security classification/clearance consists of an ordered pair: (level, set of codewords).
     We can define access using a dominance relation, dom, as follows:
       let clearance(s) = (sLevel, sCodewords)
           classification(a) = (aLevel, aCodewords)
       dom(s, a) means sLevel ≥ aLevel and c [(c  aCodewords)  (c  sCodewords)]
     Example
       v = (TopSecret, {Iraq, Iran, Nato, China})
       w = (Secret, {Iraq})
       x = (TopSecret, {Nato})
       y = (Confidential, {Nato})
       z = (Confidential, {Iran, Iraq, Nato})

  7. BLP Restated
     A system is said to be secure (in the sense of confidentiality) given that it maintains the following two properties:
     Simple Security Property: Subject s can read asset a iff ( dom(s, a) and read acm[s, a] )
     *-Property: Subject s can write to asset a iff ( dom(a, s) and write acm[s, a] )

  8. BLP Questions
     Simple Security Property: Subject s can read asset a iff ( dom(s, a) and read acm[s, a] )
     *-Property: Subject s can write to asset a iff ( dom(a, s) and write acm[s, a] )
     Following these properties, is it possible for someone to write to a document they cannot read?
     Following these properties, is it possible for someone to read a document they cannot write?
     How can a superior communicate with a subordinate?

  9. Principle of Tranquility
     Raising an asset's security level: This has little impact except for future limited access.
     Lowering an asset's security level: This violates the *-property.
     Solution: Two Types of Tranquility
       Strong Tranquility: Neither clearances nor classifications change throughout the system's lifetime.
       Weak Tranquility: Clearances and classifications can only change in a way that preserves both the simple security property and the *-property.
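As an added example (not code from the lecture), the following Python implements the BLP machinery of slides 6 through 9: the dominance relation over (level, set of codewords) labels, the simple security property and *-property checked against an access control matrix, and a weak tranquility check that refuses a reclassification if any access in progress would no longer satisfy its property. The dominance relation and the two properties are the standard BLP definitions; the five labels are those of slide 6, while the subjects, assets and the access control matrix are constructed here.

```python
# Added example (not from the lecture slides): Bell-LaPadula with the
# (level, set of codewords) labels of slides 6-9, plus a weak-tranquility check.
# The dominance relation and both properties follow the standard BLP definitions;
# the sample subjects, assets and access control matrix are constructed here.
from itertools import product

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}


def dom(x, y):
    """x dominates y iff level(x) >= level(y) and every codeword of y is also in x."""
    x_level, x_words = x
    y_level, y_words = y
    return LEVELS[x_level] >= LEVELS[y_level] and set(y_words) <= set(x_words)


# The five labels from slide 6.
LABELS = {
    "v": ("TopSecret", {"Iraq", "Iran", "Nato", "China"}),
    "w": ("Secret", {"Iraq"}),
    "x": ("TopSecret", {"Nato"}),
    "y": ("Confidential", {"Nato"}),
    "z": ("Confidential", {"Iran", "Iraq", "Nato"}),
}


def dominance_table(labels=LABELS):
    """dom() over every ordered pair of labels; shows it is a partial order,
    e.g. neither x dom z nor z dom x holds."""
    return {(a, b): dom(labels[a], labels[b]) for a, b in product(labels, repeat=2)}


class BLPSystem:
    """Confidentiality checks against clearances, classifications and an ACM."""

    def __init__(self, clearance, classification, acm):
        self.clearance = dict(clearance)            # subject -> (level, codewords)
        self.classification = dict(classification)  # asset  -> (level, codewords)
        self.acm = {k: set(v) for k, v in acm.items()}  # (subject, asset) -> rights

    def rights(self, s, a):
        return self.acm.get((s, a), set())

    def can_read(self, s, a):
        # Simple security property (slide 7): dom(s, a) and read in acm[s, a]
        return dom(self.clearance[s], self.classification[a]) and "read" in self.rights(s, a)

    def can_write(self, s, a):
        # *-property (slide 7): dom(a, s) and write in acm[s, a]; no write-down
        return dom(self.classification[a], self.clearance[s]) and "write" in self.rights(s, a)

    def reclassify_allowed(self, asset, new_label, current_access):
        """Weak tranquility (slide 9): classification(asset) may change only if every
        access currently in progress still satisfies the property it relies on."""
        trial = BLPSystem(self.clearance, {**self.classification, asset: new_label}, self.acm)
        for s, a, mode in current_access:
            ok = trial.can_read(s, a) if mode == "read" else trial.can_write(s, a)
            if not ok:
                return False
        return True


# Constructed sample system: alice is cleared to v, bob to y (labels from slide 6).
SAMPLE = BLPSystem(
    clearance={"alice": LABELS["v"], "bob": LABELS["y"]},
    classification={"doc1": LABELS["w"], "doc3": LABELS["x"]},
    acm={("alice", "doc1"): {"read", "write"}, ("alice", "doc3"): {"read"},
         ("bob", "doc1"): {"read", "write"}, ("bob", "doc3"): {"read", "write"}},
)

if __name__ == "__main__":
    for s, a in product(["alice", "bob"], ["doc1", "doc3"]):
        print(f"{s:5} {a}: read={SAMPLE.can_read(s, a)} write={SAMPLE.can_write(s, a)}")
    in_progress = [("alice", "doc1", "read"), ("bob", "doc3", "write")]
    print("lower doc3 to Unclassified while bob writes it:",
          SAMPLE.reclassify_allowed("doc3", ("Unclassified", set()), in_progress))
```

Running the sample answers the two questions of slide 8 for this constructed system: bob can write doc3 without being able to read it (write-up), and alice can read doc3 without being able to write it (no write-down). The tranquility check shows why lowering a classification is the dangerous direction: dropping doc3 to Unclassified while bob has it open for writing would turn his in-progress write into a write-down, so the change is refused.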

  10. Biba Integrity Model (Ken Biba, 1975)
      [diagram labels: write only down; read only up]
      Simple Security Property: Subject s can write asset a iff integrity(s) integrity(a)
      *-Property: Subject s can read asset a iff integrity(s) integrity(a)
      Execute Property: Action p1 can execute an action p2 iff integrity(p1) integrity(p2)
      Low water mark principle
      High water mark principle
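As an added example (not code from the lecture), the following Python encodes the three Biba properties of slide 10 using the comparison operators of Biba's strict integrity policy (write only down, read only up, invoke only down) and adds a subject class for the low water mark principle, in which a read is never refused but reading a less trustworthy asset permanently lowers the subject's integrity level. The integrity levels, subjects and asset names are constructed.

```python
# Added example (not from the lecture slides): Biba strict integrity checks for
# slide 10, plus the low-water-mark variant in which a subject's integrity level
# sinks to the lowest level it has read. Levels, subjects and assets are constructed.
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


def can_write(subject_level, asset_level):
    # Write only down: a subject may not raise the integrity of data above its own.
    return INTEGRITY[subject_level] >= INTEGRITY[asset_level]


def can_read(subject_level, asset_level):
    # Read only up: a subject may not take input from less trustworthy data.
    return INTEGRITY[subject_level] <= INTEGRITY[asset_level]


def can_execute(caller_level, callee_level):
    # Execute (invocation) property: p1 may invoke p2 only if p2 is no more trusted than p1.
    return INTEGRITY[caller_level] >= INTEGRITY[callee_level]


class LowWaterMarkSubject:
    """Low water mark principle: reads are never refused, but reading a less
    trustworthy asset permanently lowers the subject's integrity level."""

    def __init__(self, name, level):
        self.name = name
        self.level = level
        self.history = []

    def read(self, asset_name, asset_level):
        if INTEGRITY[asset_level] < INTEGRITY[self.level]:
            self.level = asset_level  # contaminated: drop to the asset's level
        self.history.append(("read", asset_name, self.level))
        return self.level

    def write(self, asset_name, asset_level):
        ok = can_write(self.level, asset_level)  # strict check at the current level
        self.history.append(("write", asset_name, ok))
        return ok


if __name__ == "__main__":
    daemon = LowWaterMarkSubject("updater", "High")
    daemon.read("vendor_manifest", "High")        # stays High
    print(daemon.write("system_config", "High"))  # True
    daemon.read("user_download", "Low")           # sinks to Low
    print(daemon.write("system_config", "High"))  # False: cannot write up any more
    print(daemon.level, daemon.history)
```

The low water mark variant is the one that matters operationally for a long-running process: a privileged updater that once parses untrusted input is thereafter barred from modifying high-integrity state, which is exactly the contamination the strict read-up rule was preventing up front.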

  11. Multi-level vs. Multi-lateral
      [figure: Multi-level Models (levels Top Secret, Secret, Confidential, Unclassified) vs. Multi-lateral Models (subjects S1, S2, S3, S4 across Asset Group 1, Asset Group 2, Asset Group 3)]

  12. Chinese Wall Model (a multi-lateral hybrid model, Brewer & Nash 1989)
      This model is often used in the service industry where knowledge of sensitive information comes from multiple different competing and non-competing companies (e.g., consulting companies, law practices, insurance companies).
      Example: A financial consulting firm has the following clients: Oracle, Microsoft, General Motors, Ford Motor Co. and Toyota. Consider the potential conflicts of interest.

  13. Chinese Wall Model
      Consider that assets are partitioned into conflict of interest groups (industrial competitors).
      Simple Security Property: Subject s can read asset a iff a' (a' readable by s) [ company(a)  competitors(company(a')) OR company(a) = company(a') ]
      *-Property: Subject s can write to asset a iff a satisfies the Simple Security Property for s AND a' (a' readable by s) [ competitors(company(a')) =  OR company(a) = company(a') ]
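As an added example (not code from the lecture), the following Python implements the two Chinese Wall properties of slide 13 over the client list of slide 12. Unlike BLP, the decision depends on each subject's own read history, so the class records every granted read. The grouping of the five clients into conflict-of-interest classes, the asset names, the sanitised "public_rates" asset and the subjects are all constructed for the example.

```python
# Added example (not from the lecture slides): Brewer-Nash Chinese Wall checks
# for slides 12-13. The client names are the ones on slide 12; the conflict-of-
# interest grouping, the asset names and the subjects are constructed here.

# asset -> company; None marks sanitised/public information owned by no company
COMPANY = {
    "oracle_q3": "Oracle",
    "msft_q3": "Microsoft",
    "gm_q3": "General Motors",
    "ford_q3": "Ford Motor Co.",
    "toyota_q3": "Toyota",
    "public_rates": None,
}

# Conflict-of-interest classes: companies inside one group compete (assumed grouping)
COI_GROUPS = [{"Oracle", "Microsoft"}, {"General Motors", "Ford Motor Co.", "Toyota"}]


def competitors(company):
    """Set of companies in conflict with `company`; empty for sanitised data."""
    for group in COI_GROUPS:
        if company in group:
            return group - {company}
    return set()


class ChineseWall:
    """Access decisions depend on each subject's own read history."""

    def __init__(self):
        self.read_history = {}  # subject -> set of assets it has read

    def can_read(self, s, a):
        # Simple security property: for every a' already read by s, either
        # company(a) is not a competitor of company(a'), or both are the same company.
        c = COMPANY[a]
        for a2 in self.read_history.get(s, set()):
            c2 = COMPANY[a2]
            if c is not None and c2 is not None and c != c2 and c in competitors(c2):
                return False
        return True

    def read(self, s, a):
        """Mediated read: grant, then record the access so later decisions see it."""
        if not self.can_read(s, a):
            return False
        self.read_history.setdefault(s, set()).add(a)
        return True

    def can_write(self, s, a):
        # *-property: a must be readable by s, and every a' read by s must either be
        # sanitised (no competitors) or belong to company(a). This blocks the leak
        # where s copies one client's data into a document another client can read.
        if not self.can_read(s, a):
            return False
        for a2 in self.read_history.get(s, set()):
            c2 = COMPANY[a2]
            if competitors(c2) and COMPANY[a] != c2:
                return False
        return True


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("ann", "oracle_q3"))        # True: first access, no conflict yet
    print(wall.can_read("ann", "msft_q3"))      # False: Microsoft conflicts with Oracle
    print(wall.read("ann", "gm_q3"))            # True: different conflict class
    print(wall.can_write("ann", "oracle_q3"))   # False: ann has read GM data
    print(wall.can_write("bob", "oracle_q3"))   # True: bob has no read history
```

The last two prints show the point of the *-property: once a consultant has read material from two different clients, even non-competing ones, she may no longer write to either client's documents, because the write could carry the other client's information through a colleague who is allowed to read it. Only a subject whose history is confined to one company (plus sanitised data) may write.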

  14. Clark-Wilson Model (a security model of double-entry bookkeeping, 1987)
      Rules (numbered to match Bishop)
      CR1. The system has procedures to verify the integrity of every constrained data item (CDI).
      CR2. A CDI's integrity must be maintained whenever a transformation procedure (TP) is applied.
      ER1. The only way to change a CDI is by applying a proper TP.
      ER2. Subjects can only initiate selected TPs on selected CDIs.
      CR3. The Rule ER2 restrictions must enforce an appropriate separation of duty policy on subjects.
      CR4. The application of a TP must store enough info in an append-only CDI to be able to reconstruct the transaction.
      CR5. Certain special TPs can produce CDIs from unrestricted data.
      ER3. The system must authenticate subjects attempting to initiate a TP.
      ER4. Only special subjects (i.e., security officers) are permitted to alter authorization-related data.
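As an added example (not code from the lecture), the following Python is a skeletal enforcement kernel for the Clark-Wilson rules of slide 14. The only path that replaces a CDI is run_tp (ER1); it requires an authenticated subject (ER3) and an authorized (subject, TP, CDI) triple (ER2), refuses a TP whose result fails the integrity verification procedure (CR1, CR2), and appends a reconstruction record to a log (CR4); authorize() refuses to give one subject both TPs of a mutually exclusive pair on the same CDI (CR3). The ledger CDI, the two TPs and the subjects are constructed; CR5 and ER4 are not modelled.

```python
# Added example (not from the lecture slides): a skeletal Clark-Wilson enforcement
# kernel for the rules listed on slide 14 (CR1, CR2, CR3, CR4, ER1, ER2, ER3).
# The ledger CDI, the transformation procedures and the subjects are constructed;
# CR5 and ER4 are not modelled.


class ClarkWilsonSystem:
    def __init__(self):
        self.cdis = {"ledger": {"debit": 0, "credit": 0}}  # constrained data items
        self.tps = {}               # name -> callable(cdi, *args) -> new cdi
        self.auth = set()           # ER2: (subject, tp, cdi) triples
        self.authenticated = set()  # ER3: subjects that have authenticated
        self.log = []               # CR4: append-only record of every TP run
        # CR3: TP pairs one subject may not hold on the same CDI (separation of duty)
        self.exclusive = {frozenset({"post_entry", "approve_entry"})}

    def ivp(self, cdi):
        # CR1: integrity verification procedure; double-entry books must balance
        return cdi["debit"] == cdi["credit"]

    def register_tp(self, name, fn):
        self.tps[name] = fn

    def authorize(self, subject, tp, cdi):
        for held in self.auth:
            if held[0] == subject and held[2] == cdi and frozenset({held[1], tp}) in self.exclusive:
                raise PermissionError(f"CR3: {subject} may not hold both {held[1]} and {tp} on {cdi}")
        self.auth.add((subject, tp, cdi))

    def login(self, subject):
        self.authenticated.add(subject)  # stand-in for a real authentication step

    def run_tp(self, subject, tp, cdi_name, *args):
        """ER1: this is the only code path that replaces a CDI."""
        if subject not in self.authenticated:
            raise PermissionError("ER3: subject not authenticated")
        if (subject, tp, cdi_name) not in self.auth:
            raise PermissionError("ER2: triple not authorized")
        before = self.cdis[cdi_name]
        after = self.tps[tp](dict(before), *args)  # TP works on a copy
        if not self.ivp(after):  # CR2: a TP must leave the CDI in a valid state
            raise ValueError("CR2: TP would leave the CDI invalid; rejected")
        self.log.append({"subject": subject, "tp": tp, "cdi": cdi_name,
                         "args": args, "before": before, "after": after})
        self.cdis[cdi_name] = after
        return after


# Constructed TPs: a well-formed double-entry posting and a faulty one.
def post_entry(ledger, amount):
    ledger["debit"] += amount
    ledger["credit"] += amount
    return ledger


def skim(ledger, amount):  # credits without a matching debit: violates CR2
    ledger["credit"] += amount
    return ledger


def demo():
    cw = ClarkWilsonSystem()
    cw.register_tp("post_entry", post_entry)
    cw.register_tp("skim", skim)
    cw.login("clerk")
    cw.authorize("clerk", "post_entry", "ledger")
    cw.authorize("clerk", "skim", "ledger")
    ok = cw.run_tp("clerk", "post_entry", "ledger", 100)
    try:
        cw.run_tp("clerk", "skim", "ledger", 5)
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected, len(cw.log)


if __name__ == "__main__":
    print(demo())  # ({'debit': 100, 'credit': 100}, True, 1)
```

Note that the faulty TP is authorized for the clerk and still gets rejected: in Clark-Wilson the access control matrix is not the last line of defence, the certification that every TP preserves the CDI invariant is, and the IVP check here stands in for that certification at run time. The log keeps both the before and after images, so a rejected or disputed transaction can be reconstructed later.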
